Archive for the ‘Security’ Category

After reading this article on Slashdot about NSI immediately registering every free domain that is searched for on their site, I went ahead and tried it myself. Indeed, seconds after searching for two random domain-names they were immediately registered (or locked). They even put a domain-parking page on it. Since this is all fully automated I can’t help but wonder what would happen if somebody were to search for all sorts of trademarked names, especially from companies that are fairly aggressive in suing for trademark infringements. I wonder if they thought about that …

I’m using many of the services Google has to offer, GMail being one of the many. I’ve noticed a couple of times now that when I logout from Google’s single-sign-on, but then go back to GMail (type in URL, not back-button) I’m still logged in despite that the Google main page or any of the other services. I can even access all sorts of old email so it’s not some strange cache-issue. I can’t quite reliably reproduce it, but it happens somewhat frequently.

I’m wondering whether Firefox does something strange in the way it clears cookies or does Google use an extra authentication-cookie for GMail that is not always deleted.

I wrote about the problems with PHP strings here and the possible solution I liked using a class encapsulating strings in PHP. I now worked out some details to make every string function in PHP work with the new “SafeString”-class. You can find the details and source here. This is still more a proof-of-concept and for all practical purposes would require the re-writing of a couple of things like database abstraction layers and such to return SafeStrings as well.

Captchas are these little word-puzzles in images that web-sites use to keep spammers and bots out. They are everywhere and even the New York Times had an article about Captchas recently. It turns out it’s a nice exercise in applying some machine learning to break these things (with lots of image manipulation to clean up the images). Since spam-bots are becoming smarter, people are switching to new kinds of Captchas. My favorites (using images) so far are Kittenauth and a 3D-rendered word-captcha.

A while ago I read about an idea to make it easier to avoid common programming mistakes in PHP regarding the handling of strings. There are dozens of attacks that one must pay attention to when using strings: you have to escape your string one way when you embed it in an SQL statement, escape it in a different way when outputting it as part of a web-page (XSL attacks), and escape it in a third way when you output it as part of a HTTP-header. It’s not surprising that eventually somewhere something will be not escaped in the right way.

Wells suggests a SafeString class to encapsulate all Strings in a class with different access methods that automatically escape your string the right way. So if you were to output the string back to the user, you’d call a toHTML() method that properly escapes any HTML-tags and special characters embedded in the string. A method to access the raw string would be called “UnsafeRawString” to remind the programmer that the string contains “tainted” user-input. While it is still possible to do something wrong, these parts stick out in the code (for example, one might use String->toHTML() when using it in an SQL statement – obviously wrong, but much easier to find). See “Making Wrong Code look Wrong” for the underlying philosophy.

I really like the idea, but I see a couple of practical problems with this idea:

All strings, including Server variables and Super-Globals, should be automatically converted to the new String class. Otherwise the programmer has to constantly figure out if he/she is dealing with an encapsulated string or not.

You’d need a database abstraction layer that will return these kind of strings as results of queries.

All the existing PHP string operations (from strcmp to soundex) must be usable. This can be tricky, but interestingly PHP5 offers a way with __call to overload the object with arbitrarily named functions (see overload() function in PHP4). With some eval-magic this could be doable. Technically you wouldn’t want anybody to ever to work with the UnsafeRawString…

Bruce Schneier gave a speech of how human psychology affects computer security. Very true as security software is often too cumbersome to use. Email encryption is still not common place while SSL as an end-to-end encryption is. It’s easy to use and people have been trained to look for that little golden padlock in the corner before entering their credit-card. Yet I feel that there are a couple of things that could be done to encourage people to pay more attention when it comes to computer security related things. In my opinion this isn’t happening because:

Most people are good and assume that other people are good too. They hold the door open for the guy that left his badge in the car, they click on the “cool link”, they open email that looks like it might be from someone important.

Most people see security problems as something that happens to someone else. Most breaches are never publicized, some publicized breaches are so huge (millions of credit card number copied – yet nothing happens to them or anybody they know) – this enhances the belief in the low likelihood of problems. We feel save in a crowd.

Most people believe they know what they are doing. Some other people are pretty learning-resistant when it comes to computers. I’ve heard some stories from companies in which the IT-staff is supposed to do user-training as well in addition to the external training the people received in the beginning (try to get accounting to explain to you over and over again how to file reimbursement claims). Maybe we really need a computer-drivers-test, but then again drunk driving can kill people while drunk computing can not.

People get bored. Cry Wolf too often, ask a person to be careful too many times in the face of a relatively low-probability event and they become trained to click “Yes, I’m sure.” (This will be interesting with Windows Vista) We are constantly bombarded with awareness-programs which makes the IT-security awareness compete with many other awareness-programs.

There is no incentive. Most people (employees) don’t face consequences when their PC is infected or the company database gets stolen. People have the neighbors kid come over to remove all the spyware from the machine and so on. Avoidable security problems like spyware turn into a “car maintenance problem”.

I think on the incentive side there is a lot that can be done. In the industry a lot experience has been gained with safety incentive programs to reduce accidents. I found a study cited on a website where it states that the reinforcing safe of acts “removes the unwanted side effects with discipline and the use of penalties; it increases the employees’ job satisfaction; it enhances the relationship between the supervisor and employees” (McAfee and Winn 1989). Properly designed incentives have the approval of the people to whom they are addressed, and are often preferred to other forms of safety motivation such as laws and policing. Probably some incentives could be created to educate the users and teach them safer computer practices. For example, to make people think more carefully about following links in email (phishing!) one could send fake phishing emails; if the user clicks on a link he gets on a page that informs him that this could have been trap and to always enter the URL directly into the browser address bar. It’s possible to track who clicked and who didn’t with specially crafted URLs in the emails. Similar things could be done with harmless executable attachments. I think this is a direction that should be pursued.

Both Tim and Michelle (XP SP2) have the McAfee firewall and virus-scanner installed on their machines. Both their machines came up with a little dialog-box upon boot up today requesting to please connect the machine to the Internet right now to verify the subscription. Clicking cancel will result in an “are you sure” question and upon confirmation (i.e.: “yes, verify the subscription some other time”) it disabled the firewall and the virus-scanner (the little M-icon in the tray turns black). I didn’t notice it at first. You have got to be kidding me! Just because the software can’t check for newer virus-signatures it shouldn’t be disabling the virus-scanner or the firewall. Especially not the firewall as that probably won’t be have to be kept up-to-date. You can re-enable both by clicking your way through the security center, but I wonder how many machines on the Internet right now are left without protection….

I just helped Michelle get her Cisco VPN Client to work after she got an “Error 51” asking her to ensure that she at least one network adapter enabled (which was the case). The client software wouldn’t even startup to let us configure anything. After a couple of calls to tech-support, finding out that the error isn’t explained in the manual and a re-installations we found the following to work: disable the Firewall and Virus-software (McAfee in that case; make sure your machine is still behind another firewall, e.g. your routers’ firewall), go to the Control Panel > Administrative Tools > Services. Then stop and restart the “Cisco Systems, Inc. VPN Service”. The startup setting should be set to automatic BTW.

I still don’t quite understand why this works (Shouldn’t the client communicate with the service using named pipes? Shouldn’t the firewall be irrelevant for the startup of the client?), but hey…

Please leave a comment if that worked for you; or whatever workaround you found. Thanks.

Ever tried to install some PHP app for your website? Especially the ones that come with a sql-schema file that you need to run through MySQL? What I wonder about is that many of these applications – PHPNuke for example – support prefixing table names. Having non-standard table names can be helpful in making SQL-injection attacks more difficult. Not impossible, mind you, it just adds another layer of obscurity – but of the shelf script-kiddie exploits won’t work anymore. And yet editing such a schema file is a pain for administrators. Which explains why people rarely do it…